Researcher Finds Entra ID Weakness That Could Have Granted Global Admin Access

Microsoft has since retired the affected components and emphasized its commitment to phasing out outdated protocols.



Two critical weaknesses that recently came to light in Microsoft’s Entra ID platform could have given attackers unprecedented control over nearly every Azure cloud customer. The flaws were discovered and reported responsibly, allowing Microsoft to release fixes before attackers were able to exploit them.

Entra ID, previously known as Azure Active Directory, is the identity management system that controls how users log in, what resources they can reach, and who has administrator rights. It is a core service for businesses worldwide, which means any failure in its security could ripple across countless organizations at once.

Dutch security researcher Dirk-jan Mollema, who specializes in cloud identity security, identified the flaws while preparing material for a cybersecurity conference. What he found was alarming: the two vulnerabilities, when combined, created a path for attackers to impersonate users and escalate privileges to the highest level, effectively granting full control of customer environments.

The first weakness involved so-called “Actor Tokens,” a type of authentication token issued by an old Microsoft system known as Access Control Service. These tokens carried unusual privileges that, on their own, posed little risk but became dangerous when chained with a second issue. That second vulnerability was buried in Azure Active Directory Graph, a legacy interface used to access Microsoft 365 data. Unlike its modern replacement, Microsoft Graph, the older system did not properly check which tenant (a customer’s isolated cloud environment) was sending a request. By combining the two flaws, attackers could trick the system into accepting tokens from outside tenants, opening the door to total compromise.
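The missing tenant check described above can be modeled in a few lines. This is an added example, not Microsoft's code and not the real Actor Token format: the token layout, the HMAC signing key, and the function names `authorize_legacy` and `authorize_checked` are all hypothetical stand-ins.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key for a hypothetical token issuer; not a real secret.
ISSUER_KEY = b"demo-issuer-key"


def _sign(body: str) -> str:
    digest = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode()


def issue_token(claims: dict) -> str:
    """Issue a signed token (HMAC stands in for the issuer's real signature)."""
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    return f"{body}.{_sign(body)}"


def _verified_claims(token: str) -> dict:
    """Return the claims only if the signature is valid."""
    body, _, sig = token.partition(".")
    if not hmac.compare_digest(sig.encode(), _sign(body).encode()):
        raise PermissionError("bad signature")
    return json.loads(base64.urlsafe_b64decode(body))


def authorize_legacy(token: str, target_tenant: str) -> str:
    """Flawed model: any validly signed token is accepted for any tenant."""
    claims = _verified_claims(token)
    return claims["subject"]  # target_tenant is never compared to the token


def authorize_checked(token: str, target_tenant: str) -> str:
    """Hardened model: the token's tenant must match the tenant being accessed."""
    claims = _verified_claims(token)
    if claims.get("tenant") != target_tenant:
        raise PermissionError("token tenant does not match target tenant")
    return claims["subject"]
```

A valid signature proves only who issued the token; the resource still has to bind the token to the tenant whose data is being requested.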

With administrator-level access, attackers would have been able to add new privileged accounts, alter security settings, and access sensitive information. Experts warned that such attacks could bypass common safeguards like multifactor authentication and leave minimal traces in activity logs, making them particularly dangerous.

Mollema disclosed his findings to Microsoft on July 14. The company began work the same day, deployed a fix globally within days, and later introduced additional protections. A vulnerability identifier (CVE) was issued in September, and Microsoft confirmed that no evidence of exploitation was found during its investigation.

Security researchers have compared the potential fallout to past incidents where authentication weaknesses enabled large-scale breaches. While the flaws in Entra ID never reached that point, the discovery illustrates how overlooked legacy systems can undermine modern security frameworks.

Microsoft has since retired the affected components and emphasized its commitment to phasing out outdated protocols. For organizations using Entra ID, the incident highlights the need to remain alert to vendor advisories, apply updates quickly, and watch for unusual activity in administrative accounts.

The vulnerabilities may now be closed, but they reveal how hidden dependencies in cloud infrastructure can become high-risk targets. As cloud identity systems continue to expand, the security community will likely scrutinize them even more closely for weaknesses of this scale.

